<!DOCTYPE html>
<html lang="en" class="no-js">
<head>
<meta http-equiv="X-UA-Compatible" content="IE=edge">

<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">

<script type="text/javascript">var BOOTSTRAP_VERSION ="lumen";
	var BOOTSTRAP_JS_HEAD =1;
	var BOOTSTRAP_CDN_ENABLE =0; var BOOTSTRAP_NAVBAR_TYPE =0; var BOOTSTRAP_LOGO_OPTION =0; var BOOTSTRAP_NAVBAR =1; var BootstrapInputFix =true;var BootstrapNavbarLineHeightFix =true;var BOOTSTRAP_EDT= 0; </script>
<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
<title>Virus Bulletin :: Mayhem – a hidden threat for *nix web servers</title>
<meta name="description" content="Andrew Kovalev and colleagues describe ‘Mayhem’ – a new kind of malware for *nix web servers that has the functions of a traditional Windows bot, but which can act under restricted privileges in the system." />
<meta name="generator" content="concrete5 - 5.6.3.5" />
<script type="text/javascript">
var CCM_DISPATCHER_FILENAME = '/index.php';var CCM_CID = 1720;var CCM_EDIT_MODE = false;var CCM_ARRANGE_MODE = false;var CCM_IMAGE_PATH = "/concrete/images";
var CCM_TOOLS_PATH = "/index.php/tools/required";
var CCM_BASE_URL = "https://www.virusbulletin.com";
var CCM_REL = "";

</script>
<link rel="shortcut icon" href="/files/8914/5459/9485/VBIcon.png" type="image/x-icon" />
<link rel="icon" href="/files/8914/5459/9485/VBIcon.png" type="image/x-icon" />
<link rel="stylesheet" type="text/css" href="/concrete/css/ccm.base.css" />
<script type="text/javascript" src="/concrete/js/jquery.js"></script>
<script type="text/javascript" src="/concrete/js/ccm.base.js"></script>
<script type="text/javascript">
var COOKIES_ALLOWED=false;
</script>
<link rel="stylesheet" type="text/css" href="/packages/free_cookies_disclosure/css/cookies_disclosure.css" />
<!--[if lte IE 8]><link rel="stylesheet" type="text/css" href="/packages/free_cookies_disclosure/css/cookies_disclosure_ie.css" /><![endif]-->
<script type="text/javascript">
var COOKIES_DISCLOSURE_HIDE_INTERVAL=10;
</script>
<script type="text/javascript" src="/packages/free_cookies_disclosure/js/disclosure_hide.js"></script>
<link rel="stylesheet" type="text/css" href="/packages/bootstrap/css/lumen/bootstrap.css" />
<link rel="stylesheet" type="text/css" href="/packages/bootstrap/css/lumen/bootstrap-overwrites.css" />
<link rel="stylesheet" type="text/css" href="/packages/bootstrap/css/members.css" />
<script type="text/javascript" src="/packages/bootstrap/js/common/prettify.js"></script>
<script type="text/javascript" src="/packages/bootstrap/js/common/jquery.easing.1.3.js"></script>
<script type="text/javascript" src="/packages/bootstrap/js/common/bootstrap.min.js"></script>
<link rel="stylesheet" type="text/css" href="/libraries/css/jquery.fancybox.css" />
<script type="text/javascript" src="/libraries/js/jquery.fancybox.pack.js"></script>
<link rel="stylesheet" media="screen" type="text/css" href="/files/cache/css/bootstrap/typography.css" />
<script type="text/javascript" src="/index.php/tools/packages/free_cookies_disclosure/disclosure_i18n_js"></script>
<script type="text/javascript" src="/packages/free_cookies_disclosure/js/disclosure_ajax_form.js"></script>
<link rel="stylesheet" type="text/css" href="/concrete/blocks/page_list/view.css" />
<link rel="stylesheet" type="text/css" href="/packages/remo_expand/blocks/remo_expand/templates/vbexpand/view.css" />
<script type="text/javascript" src="/packages/remo_expand/js/jquery.color.js"></script>
<script type="text/javascript" src="/packages/remo_expand/js/jquery.ba-hashchange.js"></script>
<script type="text/javascript" src="/packages/remo_expand/js/remo.expand.js"></script>
<link rel="stylesheet" type="text/css" href="/packages/bootstrap/blocks/search/templates/VB_global_search/view.css" />
<link rel="stylesheet" type="text/css" href="/packages/travisn_spacer/css/ccm.tnspacer.css" />

<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.6.3/css/font-awesome.min.css" integrity="sha384-T8Gy5hrqNKT+hzMclPo118YTQO6cYprQmhrYwIiQ/3axmI1hQomh7Ud2hPOy8SP1" crossorigin="anonymous">

<script src="https://cdnjs.cloudflare.com/ajax/libs/prettify/r298/run_prettify.js" integrity="sha256-1SFdTXlsw0RkQ+iO0E91LDshGiIbPiTYqJto0px4wds=" crossorigin="anonymous"></script>
<!--[if gte IE 9]>
<script src="/packages/bootstrap/js/common/modernizr.js"></script>
<![endif]-->

<!--[if lt IE 9]>	
	
	<script src="/packages/bootstrap/js/common/html5shiv.js"></script>
	<script src="/packages/bootstrap/js/common/respond.min.js"></script>
	
<![endif]-->
</head>
<body data-spy="scroll" data-target=".bs-sidebar">

<div class="navbar  navbar-fixed-top navbar-default  bs-docs-nav">
<div class="navbar-inner">
<div class="container"><div class="row"><div class="col-sm-4 col-md-4 logo-position-1 col-logo">
<div class="navbar-header">
<button type="button" class="navbar-toggle btn_navbar_custom">
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button><div class="mobile-clearfix"></div><div class="navbar-brand navbar-brand-area"><a href="/"><img border="0" class="ccm-image-block" alt="" src="/files/4614/4535/7515/logo-big.png" width="339" height="92" /></a></div> </div>
</div><div class="col-sm-8 col-md-8 logo-position-1 col-nav"> <div class="nav-collapse collapse nav_collapse_custom navbar-collapse"> <div style="clear:both"></div>
<div class="vb-global-search-div">
<form action="/index.php/global-search-results/" method="get">
<fieldset>
<input name="search_paths[]" type="hidden" value="" />
<input name="query" type="text" class="vb-global-search" placeholder="Search site..." />
<input name="submit" type="submit" value="Search!" style="display:none" />
</fieldset>
</form>
</div>
<div class="tnSpacer" style="height:48px"></div>
<ul class="nav nav-pills"><li class=" nav-first nav-item-6299"><a href="/newsletter/" target="_self" class=" nav-first nav-item-6299 ">Newsletter</a></li><li class=" nav-item-260"><a href="/conference/" target="_self" class=" nav-item-260 ">VB Conference</a></li><li class=" nav-item-166"><a href="/testing/" target="_self" class=" nav-item-166 ">VB Testing</a></li><li class=" nav-path-selected active nav-item-160"><a href="/virusbulletin/" target="_self" class=" nav-path-selected active nav-item-160 ">Bulletin</a></li><li class=" nav-last nav-item-130"><a href="/blog/" target="_self" class=" nav-last nav-item-130 ">Blog</a></li></ul> </div>
</div>
</div><div class="clearfix"></div>
</div>
</div>
</div>
<div class="navbar-top-fixed-space "><div class="clearfix"></div></div>

<div class="container m-top-20">
<div class="row">
<div class="col-md-9 col-sm-9 col-lg-9">
<div class="titlepage" xmlns=""><div><div><h1 class="title" xmlns="http://www.w3.org/1999/xhtml"><a id="vb201407-VBA"></a>Mayhem &ndash; a hidden threat for *nix web servers</h1></div><div><p class="pubdate" xmlns="http://www.w3.org/1999/xhtml">2014-07-17</p></div><div><div class="authorgroup" xmlns="http://www.w3.org/1999/xhtml"><div class="author titlepage"><h3 class="author"><span class="firstname">Andrew</span> <span class="surname">Kovalev</span></h3><span class="orgname">Yandex</span>, <span class="orgdiv">Russia</span></div><div class="author titlepage"><h3 class="author"><span class="firstname">Konstantin</span> <span class="surname">Otrashkevich</span></h3><span class="orgname">Yandex</span>, <span class="orgdiv">Russia</span></div><div class="author titlepage"><h3 class="author"><span class="firstname">Evgeny</span> <span class="surname">Sidorov</span></h3><span class="orgname">Yandex</span>, <span class="orgdiv">Russia</span></div><b class="editedby">Editor: </b><span class="editor"><span class="firstname">Martijn</span> <span class="surname">Grooten</span></span></div></div><div><div class="abstract" xmlns="http://www.w3.org/1999/xhtml"><p class="title"><b>Abstract</b></p><p>Andrew Kovalev and colleagues describe &lsquo;Mayhem&rsquo; &ndash; a new kind of malware for *nix web servers that has the functions of a traditional Windows bot, but which can act under restricted privileges in the system.</p></div></div><div><p class="copyright" xmlns="http://www.w3.org/1999/xhtml"><i>Copyright &copy; 2014 Virus Bulletin</i></p></div></div><hr /></div>
<div class="ccm-remo-expand">
<div id="ccm-remo-expand-title-2613" class="ccm-remo-expand-title ccm-remo-expand-closed" data-expander-speed="200">Table of contents</div><div id="ccm-remo-expand-content-2613" class="ccm-remo-expand-content"><div class="toc"><dl><dt><span class="sect1"><a href="#id3990072"></a></span></dt><dt><span class="sect1"><a href="#id4775655">Introduction</a></span></dt><dt><span class="sect1"><a href="#id3618593">Malware representation</a></span></dt><dt><span class="sect1"><a href="#id2140477">Shared object initialization</a></span></dt><dt><span class="sect1"><a href="#id3258521">Main loop function</a></span></dt><dt><span class="sect1"><a href="#id3258525">C&amp;C commands</a></span></dt><dd><dl><dt><span class="sect2"><a href="#id4124981">The &#39;R&#39; command (outbound)</a></span></dt><dt><span class="sect2"><a href="#id3527753">The &#39;G&#39; command (inbound)</a></span></dt><dt><span class="sect2"><a href="#id3352052">The &#39;F&#39; command (outbound)</a></span></dt><dt><span class="sect2"><a href="#id4645114">The &lsquo;L&rsquo; command (inbound)</a></span></dt><dt><span class="sect2"><a href="#id3202775">The &lsquo;Q&rsquo; command (outbound &amp; inbound)</a></span></dt><dt><span class="sect2"><a href="#id4111963">The &lsquo;P&rsquo; command (outbound)</a></span></dt><dt><span class="sect2"><a href="#id4597995">The &lsquo;S&rsquo; command (inbound)</a></span></dt><dt><span class="sect2"><a href="#id4136292">Summary</a></span></dt></dl></dd><dt><span class="sect1"><a href="#id3810933">Configuration</a></span></dt><dt><span class="sect1"><a href="#id3291713">Hidden file system</a></span></dt><dt><span class="sect1"><a href="#id3036057">Analysis of plug-ins</a></span></dt><dd><dl><dt><span class="sect2"><a href="#id4627350">Plug-ins interface</a></span></dt><dt><span class="sect2"><a href="#id3727558"><span class="emphasis"><em>rfiscan.so</em></span></a></span></dt><dt><span class="sect2"><a href="#id3215304"><span class="emphasis"><em>wpenum.so</em></span></a></span></dt><dt><span class="sect2"><a href="#id3808212"><span class="emphasis"><em>cmsurls.so</em></span></a></span></dt><dt><span class="sect2"><a href="#id4705740"><span class="emphasis"><em>bruteforce.so</em></span></a></span></dt><dt><span class="sect2"><a href="#id3855385"><span class="emphasis"><em>bruteforceng.so</em></span></a></span></dt><dt><span class="sect2"><a href="#id3869923"><span class="emphasis"><em>ftpbrute.so</em></span></a></span></dt><dt><span class="sect2"><a href="#id3487865"><span class="emphasis"><em>crawlerng.so</em></span></a></span></dt><dt><span class="sect2"><a href="#id4333706"><span class="emphasis"><em>crawlerip.so</em></span></a></span></dt></dl></dd><dt><span class="sect1"><a href="#id2338526">Analysis of C&amp;Cs</a></span></dt><dt><span class="sect1"><a href="#id3868084">Comparison with other malware families</a></span></dt><dt><span class="sect1"><a href="#id4114481">Conclusions</a></span></dt><dt><span class="sect1"><a href="#id4464234">Acknowledgements</a></span></dt></dl></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title"><a class="chapter" id="id3990072"></a></h2></div></div></div><p>Over the last several years, malware writers have clearly come to understand that gaining access to web servers can bring more benefits than infecting users&rsquo; PCs. Nowadays, there are millions of completely unprotected web servers with different kinds of vulnerabilities, so it is easy for attackers to upload web shells and gain access to them. Although in the vast majority of cases such access is restricted by the web server&rsquo;s rights on the target system, attackers successfully find ways to gain maximum advantage. In this article we describe &lsquo;Mayhem&rsquo; &ndash; a new kind of malware for *nix web servers that has the functions of a traditional <span class="emphasis"><em>Windows</em></span> bot, but which can act under restricted privileges in the system.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title"><a class="chapter" id="id4775655"></a>Introduction</h2></div></div></div><p>The infection of websites and even entire web servers has become common. Usually such infections are used for stealing traffic, black hat SEO, drive-by download attacks, and so on, and in the vast majority of cases this kind of malware comprises relatively simple PHP scripts. But in the last two years, several more sophisticated malware families have been discovered. Mayhem is a multi-purpose modular bot for web servers. Our team studied the bot in order to gain an understanding not only of the client part of the malware, but also some of its command and control (C&amp;C) servers, allowing us to collect some statistics.</p><p>This article should be considered as an addition to the one published by the<span class="emphasis"><em> Malware Must Die</em></span> team [<span class="citation"><a href="#citation.1">1</a></span>]. We faced the Mayhem bot in April 2014, and this paper is a result of our own independent research. [<span class="citation"><a href="#citation.2">2</a></span>] is the only other publication on Mayhem we&rsquo;ve found. During our research, we also discovered that Mayhem is a continuation of a bigger &lsquo;Fort Disco&rsquo; brute-force campaign, disclosed in [<span class="citation"><a href="#citation.3">3</a></span>].</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title"><a class="chapter" id="id3618593"></a>Malware representation</h2></div></div></div><p>Initially, the piece of malware appears as a PHP script. We analysed the version of the PHP dropper with the SHA256 hash: b3cc1aa3259cd934f56937e6371f270c23edf96d2c0801 728b0379dd07a0a035.</p><p>The results of analysing this script with the <span class="emphasis"><em>VirusTotal</em></span> service are presented in <a href="#table.1">Table 1</a>.</p><div class="table"><a id="table.1"></a><table border="1" summary="The results of checking the PHP dropper using the VirusTotal
      service."><colgroup><col /><col /></colgroup><thead><tr><th align="center">Date</th><th align="center">VirusTotal results</th></tr></thead><tbody><tr><td>2014-06-17</td><td>3/54</td></tr><tr><td>2014-06-05</td><td>3/51</td></tr><tr><td>2014-06-03</td><td>3/52</td></tr><tr><td>2014-04-06</td><td>1/51</td></tr><tr><td>2014-03-18</td><td>1/49</td></tr></tbody></table><p class="title"><b>Table&nbsp;1.&nbsp;The results of checking the PHP dropper using the VirusTotal service.</b></p></div><p>After execution, the script kills all &lsquo;/usr/bin/host&rsquo; processes, identifies the system architecture (x64 or x86) and system type (<span class="emphasis"><em>Linux</em></span> or <span class="emphasis"><em>FreeBSD</em></span>), and drops a malicious shared object named &lsquo;libworker.so&rsquo;. The script also defines a variable &lsquo;AU&rsquo;, which contains the full URL of the script being executed. The first part of the PHP script is shown in <a href="#figure.1">Figure 1</a>.</p><div class="figure"><a id="figure.1"></a><div class="mediaobject"><img alt="First part of the PHP dropper." src="/uploads/images/figures/2014/07/Mayhem-fig1.jpg" /></div><p class="title"><b>Figure&nbsp;1.&nbsp;First part of the PHP dropper.</b></p></div><p>After that, the PHP dropper creates a shell script named &lsquo;1.sh&rsquo;, the contents of which are depicted in <a href="#figure.2">Figure 2</a>. Besides all of this, the script also creates the environment variable &lsquo;AU&rsquo;, which is the same as the one defined in the PHP script.</p><div class="figure"><a id="figure.2"></a><div class="mediaobject"><img alt="The contents of the &lsquo;1.sh&rsquo; script.2." src="/uploads/images/figures/2014/07/Mayhem-fig2.jpg" /></div><p class="title"><b>Figure&nbsp;2.&nbsp;The contents of the &lsquo;1.sh&rsquo; script.2.</b></p></div><p>Then the PHP dropper executes the shell script by running the command &lsquo;at now -f 1.sh&rsquo;. This command adds a cron task. After execution, the dropper waits for at most five seconds, then deletes the corresponding cron task. If execution of the &lsquo;at&rsquo; command fails, the dropper runs the &lsquo;1.sh&rsquo; script directly. This part of the PHP dropper is presented in <a href="#figure.3">Figure 3</a>.</p><div class="figure"><a id="figure.3"></a><div class="mediaobject"><img alt="The last part of the PHP dropper." src="/uploads/images/figures/2014/07/Mayhem-fig3.jpg" /></div><p class="title"><b>Figure&nbsp;3.&nbsp;The last part of the PHP dropper.</b></p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title"><a class="chapter" id="id2140477"></a>Shared object initialization</h2></div></div></div><p>The LD_PRELOAD technique allows the shared object to be the first to be loaded and allows it to hook into different functions easily. If a standard library function is re implemented in such a library, that library will intercept all calls to that function. The malicious sample contains its own implementation of the &lsquo;exit&rsquo; function, so this one is invoked by &lsquo;/usr/bin/host&rsquo; instead of the original one.</p><p>During execution of the hooked &lsquo;exit&rsquo; function an additional initialization function is called. The workflow of this function is shown in <a href="#figure.4">Figure 4</a>. During the initialization, the following steps are performed:</p><div class="itemizedlist"><ul type="disc"><li><p>An ELF file with only an &lsquo;exit&rsquo; function is dropped</p></li><li><p>The process forks and the child process runs the ELF file and finishes its execution</p></li><li><p>The parent process performs further initialization: it tries to connect to the <span class="emphasis"><em>Google</em></span> DNS service (the IP address is 8.8.8.8), decrypts and parses the configuration file and obtains the parameters of the system.</p></li></ul></div><div class="figure"><a id="figure.4"></a><div class="mediaobject"><img alt="The workflow of the initialization function." src="/uploads/images/figures/2014/07/Mayhem-fig4.jpg" /></div><p class="title"><b>Figure&nbsp;4.&nbsp;The workflow of the initialization function.</b></p></div><p>Once initialization is complete, the shared object file is removed from the disk. The malware then tries to open and map to memory a file with a hidden file system. If the file does not exist, it is created, mapped to memory, and a hidden file system is initialized. Then this process forks, the parent process exits, and the child process continues the execution. A high-level workflow of the hooked &lsquo;exit&rsquo; function is shown in <a href="#figure.5">Figure 5</a>. The successful execution path is marked on the workflow in red. As you can see, the execution path is neither only parent nor only child. We assume that this is an anti-debugging trick for debuggers that are configured to follow only child processes or only parent processes after a fork.</p><div class="figure"><a id="figure.5"></a><div class="mediaobject"><img alt="High-level workflow of the hooked &lsquo;exit&rsquo; function." src="/uploads/images/figures/2014/07/Mayhem-fig5.jpg" /></div><p class="title"><b>Figure&nbsp;5.&nbsp;High-level workflow of the hooked &lsquo;exit&rsquo; function.</b></p></div><p>After all of these steps, the child process (the only one that is alive) runs the main infinite loop of the malware. The malware sleeps for the period of time defined in its configuration and runs functions that do useful jobs.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title"><a class="chapter" id="id3258521"></a>Main loop function</h2></div></div></div><p>This function first sets up a socket for communication with the C&amp;C server, then checks whether information about the infected host has been sent to the C&amp;C since this working session started, i.e. since the malware was executed. If the flag indicates that information has successfully been sent to the C&amp;C server, the malware sends a &lsquo;ping&rsquo; packet, then receives and executes C&amp;C commands.</p><p>If the flag indicates that the information has not been sent yet, the malware prepares an HTTP packet that contains the output of the &lsquo;uname -a&rsquo; command, the architecture of the infected system, and information about the rights of the system user executing the process. After the packet has been sent, the malware reads the C&amp;C response and if something goes wrong it exits this function. If everything is fine, the malware updates the flag and tries to read and execute other commands in the C&amp;C response.</p><p>A high-level workflow of the main loop function is presented in <a href="#figure.6">Figure 6</a>.</p><div class="figure"><a id="figure.6"></a><div class="mediaobject"><img alt="High-level workflow of the main loop function in the shared object." src="/uploads/images/figures/2014/07/Mayhem-fig6.jpg" /></div><p class="title"><b>Figure&nbsp;6.&nbsp;High-level workflow of the main loop function in the shared object.</b></p></div><p>During the work, the malware maintains four lists and two queues. One queue is used for input strings (strings received from the C&amp;C server), and the other is used for output strings (strings that will be sent to the C&amp;C server). The first list is used to store the addresses of the working functions of plug-ins, the second to store the addresses of functions that process data before writing to a socket (one used to transmit data to the C&amp;C), the third to store the addresses of functions that process data read from a socket (data received from the C&amp;C), and the fourth to store the addresses of functions that will process data from string queues. <a href="#figure.7">Figure 7</a> shows how these queues and lists are used in the malware&rsquo;s dataflow.</p><div class="figure"><a id="figure.7"></a><div class="mediaobject"><img alt="Workflow of data received from the C&amp;C server." src="/uploads/images/figures/2014/07/Mayhem-fig7.jpg" /></div><p class="title"><b>Figure&nbsp;7.&nbsp;Workflow of data received from the C&amp;C server.</b></p></div><p><a href="#figure.8">Figure 8</a> shows the dataflow when the malware processes a task.</p><div class="figure"><a id="figure.8"></a><div class="mediaobject"><img alt="Dataflow of strings that are processed by plug-ins." src="/uploads/images/figures/2014/07/Mayhem-fig8.jpg" /></div><p class="title"><b>Figure&nbsp;8.&nbsp;Dataflow of strings that are processed by plug-ins.</b></p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title"><a class="chapter" id="id3258525"></a>C&amp;C commands</h2></div></div></div><p>There are seven different commands that are used in communications between the C&amp;C server and the malware. The commands can be divided into two groups: inbound commands (C&amp;C to bot) and outbound commands (bot to C&amp;C). All of these commands are sent in HTTP POST requests/responses, i.e. inbound commands are transmitted in HTTP POST requests and outbound commands are transmitted in HTTP responses to the POST requests.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a class="chapter" id="id4124981"></a>The &#39;R&#39; command (outbound)</h3></div></div></div><p>By sending this command the malware tells the C&amp;C that it has successfully been loaded and is ready to work. If the web server is run with root privileges, the format of the &lsquo;R&rsquo; command sent to the C&amp;C is:</p><pre class="programlisting">R,20130826,&lt;system architecture - 64 or 32&gt;,&lt;EI_OSABI value from &lsquo;/usr/bin/host&rsquo; ELF header&gt;,
ROOT,&lt;output of &lsquo;uname -a command&rsquo;&gt;</pre><p>If the web server is run with restricted privileges, then the command is the same, but instead of &lsquo;ROOT&rsquo; there is the output of getenv(&lsquo;AU&rsquo;) &ndash; the URL for the PHP script used to start the malware. If everything is fine, the C&amp;C server returns &lsquo;R,200&rsquo;.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a class="chapter" id="id3527753"></a>The &#39;G&#39; command (inbound)</h3></div></div></div><p>This command is sent from the C&amp;C server to the malware. The command has the following format:</p><pre class="programlisting">G,&lt;task ID&gt;</pre><p>If the current task ID is not equal to the one received, the malware will finalize the currently running task and start a number of new working threads. The number of working threads is set by the &lsquo;L&rsquo; command.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a class="chapter" id="id3352052"></a>The &#39;F&#39; command (outbound)</h3></div></div></div><p>This command is used to request files from the server. If the malware wants to request a new file, it will send the following command:</p><pre class="programlisting">F,&lt;file name&gt;,0</pre><p>If the malware wants to check if there is a new version of a previously obtained file, it will send:</p><pre class="programlisting">F,&lt;file name&gt;,&lt;CRC32 sum of the file&gt;</pre><p>If the file is not found on the C&amp;C server, the server will respond:</p><pre class="programlisting">F,404,&lt;file name&gt;</pre><p>If the file hasn&rsquo;t been changed since it was received, the C&amp;C will respond:</p><pre class="programlisting">F,304,-</pre><p>If the new/updated file is found, the server will respond</p><pre class="programlisting">F,200,&lt;file name&gt;,&lt;BASE64 encoded file data&gt;</pre><p>After receiving the command with data, the malware decodes the BASE64-encoded data, writes it to disk and into a hidden file system. Then it tries to determine whether the received file is a plug-in. If the file is a plug-in, the malware checks its CRC32 sum, which is stored in unused ELF header fields, and loads the plug-in into memory.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a class="chapter" id="id4645114"></a>The &lsquo;L&rsquo; command (inbound)</h3></div></div></div><p>The &lsquo;L&rsquo; command is used by the C&amp;C server to configure the malware and to make it load a plug-in. If the C&amp;C wants to configure the core module of the malware, it will send:</p><pre class="programlisting">L,core,&lt;number of working threads&gt;,&lt;sleep timeout&gt;,&lt;socket timeout&gt;</pre><p>After receiving this command, the malware will finalize all working threads, then update the number of working threads, the sleep timeout and the socket timeout.</p><p>If the C&amp;C wants the malware to load a plug-in, it will send:</p><pre class="programlisting">L,&lt;plug-in file name&gt;,&lt;plug-in parameters separated by comma&gt;</pre><p>If the malware receives this command and another plug-in is already running, the running plug-in will be stopped and the new one will be looked up in the hidden file system. If the lookup fails, a file with plug-in will be requested from the C&amp;C via the &lsquo;F&rsquo; command. Then the plug-in will be loaded, initialized and run.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a class="chapter" id="id3202775"></a>The &lsquo;Q&rsquo; command (outbound &amp; inbound)</h3></div></div></div><p>This command is used to transmit working data from the C&amp;C to the malware and vice versa. If the C&amp;C wants to add a string to the malware&rsquo;s processing queue, it will send:</p><pre class="programlisting">Q,string</pre><p>All of these strings are added to the malware&rsquo;s input queue and will be processed by a plug-in that is being run. If the malware wants to upload the results of its work, it will send:</p><pre class="programlisting">Q,&lt;plug-in name&gt;, &lt;string with results&gt;</pre><p>then remove these strings from its output queue.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a class="chapter" id="id4111963"></a>The &lsquo;P&rsquo; command (outbound)</h3></div></div></div><p>This command is used by the malware to send its current state to the C&amp;C server. The format of this command is:</p><pre class="programlisting">P,&lt;flag is a task is run&gt;,&lt;UNKNOWN&gt;,&lt;count of working threads&gt;,&lt;number of read/write requests to 
servers per second&gt;,&lt;total number of read/write operations to server since this number has been 
set to zero&gt;</pre></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a class="chapter" id="id4597995"></a>The &lsquo;S&rsquo; command (inbound)</h3></div></div></div><p>If the malware receives this command it will finalize all working threads, empty the input and output queue and release other system resources. After that, it is ready to process a new task.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a class="chapter" id="id4136292"></a>Summary</h3></div></div></div><p>In summary, the commands are as follows:</p><div class="variablelist"><dl><dt><span class="term">Outbound commands</span></dt><dd><p>R - report home</p><p>F - request file</p><p>Q - send data</p><p>P - report state</p></dd><dt><span class="term">Inbound commands</span></dt><dd><p>G - run new task</p><p>L - load plug-in</p><p>Q - send data</p><p>S - stop current task</p></dd></dl></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title"><a class="chapter" id="id3810933"></a>Configuration</h2></div></div></div><p>The shared object contains configuration information stored in the data segment in an encrypted form. The decryption key is also stored in the data segment. Initially, only the first eight bytes are decrypted, then the malware checks whether the last four bytes are equal to 0xDEADBEEF. If they are, then the first four bytes represent the length of the encrypted data. After this, the rest of the ciphertext is decrypted. <a href="#figure.9">Figure 9</a> shows the pseudocode of the decryption algorithm.</p><div class="figure"><a id="figure.9"></a><div class="mediaobject"><img alt="The decryption algorithm used in the malware." src="/uploads/images/figures/2014/07/Mayhem-fig9.jpg" /></div><p class="title"><b>Figure&nbsp;9.&nbsp;The decryption algorithm used in the malware.</b></p></div><p>We analysed the code of the algorithm and found that this is an implementation of the XTEA encryption algorithm [<span class="citation"><a href="#citation.4">4</a></span>], [<span class="citation"><a href="#citation.5">5</a></span>] with the number of rounds equal to 32; the mode of operations is ECB [<span class="citation"><a href="#citation.6">6</a></span>], [<span class="citation"><a href="#citation.7">7</a></span>].</p><p>An example of the decrypted configuration is shown in <a href="#figure.10">Figure 10</a>.</p><div class="figure"><a id="figure.10"></a><div class="mediaobject"><img alt="Decrypted configuration of the sample." src="/uploads/images/figures/2014/07/Mayhem-fig10.jpg" /></div><p class="title"><b>Figure&nbsp;10.&nbsp;Decrypted configuration of the sample.</b></p></div><p>All the samples we analysed had the same format for the configuration. The first part of the configura-tion contains special flags and offsets to data in the rest of the configuration array. The format of the decrypted configuration is presented in <a href="#table.2">Table 2</a>.</p><div class="table"><a id="table.2"></a><table border="1" summary="Description of the malware configuration."><colgroup><col /><col /><col /></colgroup><thead><tr><th align="center">Offset</th><th align="center">Size in bytes</th><th align="center">Description</th></tr></thead><tbody><tr><td>0</td><td>4</td><td>This field contains the number of eight-byte blocks in the configuration &ndash; in other words, the length of the configuration in eight-byte blocks</td></tr><tr><td>4</td><td>4</td><td>Special marker 0xDEADBEEF</td></tr><tr><td>8</td><td>4</td><td>Offset to the C&amp;C URL</td></tr><tr><td>12</td><td>4</td><td>Sleep time between executions of the main loop function of the malware</td></tr><tr><td>16</td><td>4</td><td>Size of file mapping for the hidden file system</td></tr><tr><td>20</td><td>4</td><td>Offset to the name of the file that contains the hidden file system</td></tr></tbody></table><p class="title"><b>Table&nbsp;2.&nbsp;Description of the malware configuration.</b></p></div><p>As can be seen from <a href="#table.2">Table 2</a>, a C&amp;C address is defined directly in the malware configuration and no DGA is used.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title"><a class="chapter" id="id3291713"></a>Hidden file system</h2></div></div></div><p>As stated previously, the malware uses a hidden file system to store its files. The file system comprises a file that is created during the initialization. The filename of the hidden file system is defined in the configuration, but its name is usually &lsquo;.sd0&rsquo;. To work with this file system an open-source library &lsquo;FAT 16/32 File System Library&rsquo;, [<span class="citation"><a href="#citation.8">8</a></span>] is used. The library contains code to create and work with the FAT file system, but it is not used in the original form &ndash; some functions have been modified to support encryption. Every block is encrypted with 32 rounds of XTEA algorithm in ECB mode and the encryption key differs from block to block.</p><p>The hidden file system is used to store plug-ins and files with strings to process: lists of URLs, usernames, passwords, etc. The content of one instance of the file system is shown in <a href="#figure.11">Figure 11</a>.</p><div class="figure"><a id="figure.11"></a><div class="mediaobject"><img alt="The content of one instance of the file system." src="/uploads/images/figures/2014/07/Mayhem-fig11.jpg" /></div><p class="title"><b>Figure&nbsp;11.&nbsp;The content of one instance of the file system.</b></p></div><p>We developed a simple tool based on the open-source library [<span class="citation"><a href="#citation.8">8</a></span>] for decrypting and extracting files from such file systems. The script can be found in [<span class="citation"><a href="#citation.9">9</a></span>].</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title"><a class="chapter" id="id3036057"></a>Analysis of plug-ins</h2></div></div></div><p>As mentioned before, the malware has functionality which allows it to use plug-ins. During our research we found eight different plug-ins for this bot. Plug-ins and their configuration files are stored in the hidden file system. All the plug-ins described here have been found in the wild and are used by the malware.</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a class="chapter" id="id4627350"></a>Plug-ins interface</h3></div></div></div><p>Every plug-in exports a structure that contains two special markers: pointers to useful plug-in functions and a string that contains the plug-in name. Every plug-in has at least two such pointers: a pointer to the plug-in initialization function and a pointer to the function that performs deinitialization. Two markers in this structure are constants: 0xDEADBEEF and a constant 20130826 that we suspect is a version of the plug-in. An example of such a structure is shown in <a href="#figure.12">Figure 12</a>.</p><div class="figure"><a id="figure.12"></a><div class="mediaobject"><img alt="An example of the structure that describes one of the plug-ins." src="/uploads/images/figures/2014/07/Mayhem-fig12.jpg" /></div><p class="title"><b>Figure&nbsp;12.&nbsp;An example of the structure that describes one of the plug-ins.</b></p></div><p>Due to the fact that all of the plug-ins are stored in the hidden file system, none of them were detected by any AV vendor when we checked on <span class="emphasis"><em>VirusTotal</em></span>.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a class="chapter" id="id3727558"></a><span class="emphasis"><em>rfiscan.so</em></span></h3></div></div></div><p>SHA256 hash sum: 9efed12a67e5835c73df5882321c4cd2dd2 3e4a571e5f99ccd7ec13176ab12cb</p><p>This plug-in is used to find websites that contain a remote file inclusion (RFI) vulnerability. During initialization, the plug in downloads a list of patterns and a list of websites to check. Then it sends special HTTP requests to the websites that try to include the &lsquo;http://www.google.com/humans.txt&rsquo; file and analyse the corresponding HTTP responses. If the HTTP response contains the &lsquo;we can shake&rsquo; substring, then the plug-in decides that the website has a remote file inclusion vulnerability. A part of the list with patterns is shown in <a href="#figure.13">Figure 13</a>.</p><div class="figure"><a id="figure.13"></a><div class="mediaobject"><img alt="Some patterns used by &lsquo;rfiscan.so&rsquo; to find websites that are vulnerable to RFI." src="/uploads/images/figures/2014/07/Mayhem-fig13.jpg" /></div><p class="title"><b>Figure&nbsp;13.&nbsp;Some patterns used by &lsquo;rfiscan.so&rsquo; to find websites that are vulnerable to RFI.</b></p></div><p>The results are transmitted to the C&amp;C server with the use of &lsquo;Q&rsquo; commands. The meanings of the commands are presented in <a href="#table.3">Table 3</a>.</p><div class="table"><a id="table.3"></a><table border="1" summary="Descriptions of &lsquo;rfiscan&rsquo; plug-in &lsquo;Q&rsquo; commands."><colgroup><col /><col /></colgroup><thead><tr><th align="center">Command</th><th align="center">Description</th></tr></thead><tbody><tr><td>Q,rfiscan,&lt;host&gt;,&lt;vulnerable URL&gt;</td><td>An RFI vulnerability has successfully been found</td></tr><tr><td>Q,rfiscan,&lt;host&gt;,-</td><td>RFI vulnerabilities haven&rsquo;t been found</td></tr></tbody></table><p class="title"><b>Table&nbsp;3.&nbsp;Descriptions of &lsquo;rfiscan&rsquo; plug-in &lsquo;Q&rsquo; commands.</b></p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a class="chapter" id="id3215304"></a><span class="emphasis"><em>wpenum.so</em></span></h3></div></div></div><p>SHA256 hash sum: 9707e7682dd4f2c7850fdff0b0b33a3f499e93513f025174451b503eaeadea88</p><p>This plug-in is used to enumerate users of <span class="emphasis"><em>WordPress</em></span> sites. The working function of this plug-in receives a URL, transforms it, and makes HTTP requests with the following query template:</p><pre class="programlisting">&lt;original query without last part&gt;/?author=&lt;user id&gt;</pre><p>The user ID ranges from 0 to 5. If the corresponding HTTP response contains the substring &lsquo;Location:&rsquo; and the destination URL contains the substring &lsquo;/author/&rsquo; then the username is extracted from the destination URL. The first user to be found is transmitted to the C&amp;C with the use of &lsquo;Q&rsquo; commands. The meanings of the commands are presented in <a href="#table.4">Table 4</a>.</p><div class="table"><a id="table.4"></a><table border="1" summary="Descriptions of &lsquo;wpenum&rsquo; plug-in &lsquo;Q&rsquo; commands."><colgroup><col /><col /></colgroup><thead><tr><th align="center">Command</th><th align="center">Description</th></tr></thead><tbody><tr><td>Q,wpenum,&lt;original URL&gt;,&lt;transformed URL&gt;,&lt;user name&gt;</td><td>Username has successfully been found</td></tr><tr><td>Q,wpenum,&lt;original URL&gt;,&lt;original URL&gt;,no_matches</td><td>No username has been found</td></tr><tr><td>Q,wpenum,&lt;original URL&gt;,-</td><td>Connection failed</td></tr></tbody></table><p class="title"><b>Table&nbsp;4.&nbsp;Descriptions of &lsquo;wpenum&rsquo; plug-in &lsquo;Q&rsquo; commands.</b></p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a class="chapter" id="id3808212"></a><span class="emphasis"><em>cmsurls.so</em></span></h3></div></div></div><p>SHA256 hash sum: 84725fb3f68bde780a6349d0419bec39b03c85591e4337c6a02dcaa87b2e4ea3</p><p>The working function of this plug-in receives the hostname, makes an HTTP GET request to this host with the &lsquo;/wp-login.PHP&rsquo; query, and searches for the substring &lsquo;name=\&quot;log\&quot;&rsquo; in the corresponding query. So this plug-in identifies user login pages in sites based on the <span class="emphasis"><em>WordPress</em></span> CMS. The results are sent to the C&amp;C with the use of &lsquo;Q&rsquo; commands. The meanings of the commands are presented in <a href="#table.5">Table 5</a>.</p><div class="table"><a id="table.5"></a><table border="1" summary="Descriptions of &lsquo;cmsurls.so&rsquo; plug-in &lsquo;Q&rsquo; commands."><colgroup><col /><col /></colgroup><thead><tr><th align="center">Command</th><th align="center">Description</th></tr></thead><tbody><tr><td>Q,cmsurls,&lt;hostname&gt;,&lt;URL to login page (ends with &lsquo;wp-login.PHP&rsquo;)&gt;</td><td>URL for login page has successfully been found</td></tr><tr><td>Q,cmsurls,&lt;hostname&gt;</td><td>URL for login page has not been found</td></tr><tr><td>Q,cmsurls,&lt;hostname&gt;,-</td><td>Connection failed</td></tr></tbody></table><p class="title"><b>Table&nbsp;5.&nbsp;Descriptions of &lsquo;cmsurls.so&rsquo; plug-in &lsquo;Q&rsquo; commands.</b></p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a class="chapter" id="id4705740"></a><span class="emphasis"><em>bruteforce.so</em></span></h3></div></div></div><p>SHA256 hash sum: 6f96d63ab5288a38e8893043feee668eb6cee7fd7af8ecfed16314fdba4d32a6</p><p>This plug-in is used to brute force passwords for sites based on the <span class="emphasis"><em>WordPress</em></span> and <span class="emphasis"><em>Joomla</em></span> CMSs. The plug-in doesn&rsquo;t support HTTPS. During our research, we found a dictionary containing passwords used by the plug-in. The dictionary contains 17,911 passwords. The lengths of the passwords range from 1 to 32 symbols.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a class="chapter" id="id3855385"></a><span class="emphasis"><em>bruteforceng.so</em></span></h3></div></div></div><p>SHA256 hash sum: 992c36b2fcc59117cf7285fa39a89386c62a56fe4f0a192a05a379e7a6dcdea6</p><p>This plug-in is also used to brute force passwords for sites, but unlike bruteforce.so, this plug-in supports HTTPS, and regular expressions, and can be configured to brute force almost any login page. An example of such a configuration is presented in <a href="#figure.14">Figure 14</a>.</p><div class="figure"><a id="figure.14"></a><div class="mediaobject"><img alt="An example configuration of the &lsquo;bruteforceng.so&rsquo; plug-in." src="/uploads/images/figures/2014/07/Mayhem-fig14.jpg" /></div><p class="title"><b>Figure&nbsp;14.&nbsp;An example configuration of the &lsquo;bruteforceng.so&rsquo; plug-in.</b></p></div><p>We analysed other configuration files for this plug-in and found that it was also used to brute force credentials for DirectAdmin control panels.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a class="chapter" id="id3869923"></a><span class="emphasis"><em>ftpbrute.so</em></span></h3></div></div></div><p>SHA256 hash sum: 38ee32e644cb8421a89cbcba9c844a5b482b4524d51f5c10dcb582c3c4ed8101</p><p>This plug-in is used to brute force FTP accounts.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a class="chapter" id="id3487865"></a><span class="emphasis"><em>crawlerng.so</em></span></h3></div></div></div><p>SHA256 hash sum: d9d3d93c190e52cc0860f389f9554a86c8c67d56d2f4283356ca7cf5cda178a0</p><p>This plug-in is used to crawl web pages and extract useful information. A list of websites to crawl, as well as depth level and other parameters, are obtained from the C&amp;C server. The plug-in also supports HTTPS protocol and uses the SLRE [10] library to work with regular expressions. The plug-in is very flexible. One of the configuration files for this plug-in is presented in <a href="#figure.15">Figure 15</a>. As you can see, in this case the plug-in was used to find and collect pharmacy-related web pages.</p><div class="figure"><a id="figure.15"></a><div class="mediaobject"><img alt="A configuration file of the &lsquo;crawlerng.so&rsquo; plug-in." src="/uploads/images/figures/2014/07/Mayhem-fig15.jpg" /></div><p class="title"><b>Figure&nbsp;15.&nbsp;A configuration file of the &lsquo;crawlerng.so&rsquo; plug-in.</b></p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a class="chapter" id="id4333706"></a><span class="emphasis"><em>crawlerip.so</em></span></h3></div></div></div><p>SHA256 hash sum: 1fc6a6a98bf854421054254bd504f0b596f01fcb9118a3e525c16049a26e3e11</p><p>This plug-in is the same as the &lsquo;crawlerng.so&rsquo; plug-in. The only difference is that this one works with a list of IP addresses instead of URLs.</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title"><a class="chapter" id="id2338526"></a>Analysis of C&amp;Cs</h2></div></div></div><p>During our research we found that three C&amp;C servers were used to manage the botnet. We were able to gain access to two of them and to collect some statistics. A general overview of the C&amp;C administration panel is presented in <a href="#figure.16">Figure 16</a>. The interface that allows the user to add tasks to bots is shown in <a href="#figure.17">Figure 17</a>.</p><div class="figure"><a id="figure.16"></a><div class="mediaobject"><img alt="(List of bots in the C&amp;C administration panel." src="/uploads/images/figures/2014/07/Mayhem-fig16.jpg" /></div><p class="title"><b>Figure&nbsp;16.&nbsp;(List of bots in the C&amp;C administration panel.</b></p></div><p>(Click <a href="/uploads/images/figures/2014/07/Mayhem-fig16-large.jpg" target="_top">here</a> to view a larger version of Figure 16.)</p><div class="figure"><a id="figure.17"></a><div class="mediaobject"><img alt="Task addition interface in the C&amp;C." src="/uploads/images/figures/2014/07/Mayhem-fig17.jpg" /></div><p class="title"><b>Figure&nbsp;17.&nbsp;Task addition interface in the C&amp;C.</b></p></div><p>These two C&amp;C servers managed about 1,400 bots between them. The first botnet contained about 1,100 bots, the second about 300 bots. At the time of the analysis, bots from both botnets were used to brute force WordPress passwords. A picture of the brute force task is presented in <a href="#figure.18">Figure 18</a> and some results of this brute force task are presented in <a href="#figure.19">Figure 19</a>.</p><div class="figure"><a id="figure.18"></a><div class="mediaobject"><img alt="Brute force task in the larger botnet administration panel." src="/uploads/images/figures/2014/07/Mayhem-fig18.jpg" /></div><p class="title"><b>Figure&nbsp;18.&nbsp;Brute force task in the larger botnet administration panel.</b></p></div><p>(Click <a href="/uploads/images/figures/2014/07/Mayhem-fig18-large.jpg" target="_top">here</a> to view a larger version of Figure 18.)</p><div class="figure"><a id="figure.19"></a><div class="mediaobject"><img alt="Some results of a brute force task run by the botnet." src="/uploads/images/figures/2014/07/Mayhem-fig19.jpg" /></div><p class="title"><b>Figure&nbsp;19.&nbsp;Some results of a brute force task run by the botnet.</b></p></div><p>(Click <a href="/uploads/images/figures/2014/07/Mayhem-fig19-large.jpg" target="_top">here</a> to view a larger version of Figure 19.)</p><p>The geographical distribution of the infected servers of the botnets is presented in <a href="#figure.20">Figure 20</a>. As can be seen, the countries with the highest rates of infection are USA, Russia, Germany and Canada.</p><div class="figure"><a id="figure.20"></a><div class="mediaobject"><img alt="Geographic distribution of infected servers in the larger botnet. Darker blue means more infected servers." src="/uploads/images/figures/2014/07/Mayhem-fig20.jpg" /></div><p class="title"><b>Figure&nbsp;20.&nbsp;Geographic distribution of infected servers in the larger botnet. Darker blue means more infected servers.</b></p></div><p>The third C&amp;C server had also been identified by the <span class="emphasis"><em>Malware Must Die </em></span>team [<span class="citation"><a href="#citation.1">1</a></span>], and at the time of our analysis it was switched off.</p><p>We analysed the sources of both active C&amp;C servers. Besides the main page, the sources also contain two additional PHP scripts: config.php and update.php.</p><p>The first script contains configuration data: database credentials, MD5 hash of the administrative panel, maximum pending time for tasks, bot wake up time, etc. Part of this script is shown in <a href="#figure.21">Figure 21</a>.</p><div class="figure"><a id="figure.21"></a><div class="mediaobject"><img alt="Part of the C&amp;C configuration data." src="/uploads/images/figures/2014/07/Mayhem-fig21.jpg" /></div><p class="title"><b>Figure&nbsp;21.&nbsp;Part of the C&amp;C configuration data.</b></p></div><p>(Click <a href="/uploads/images/figures/2014/07/Mayhem-fig21-large.jpg" target="_top">here</a> to view a larger version of Figure 21)</p><p>The update.php script is used for waking up bots. This script visits a host with inactive bots and runs the PHP script described in the &lsquo;Malware representation&rsquo; section.</p><p>We also found that the C&amp;C server supports a number of plug-ins that we haven&rsquo;t found in the wild. For example, a plug-in that exploits the recently identified &lsquo;Heartbleed&rsquo; vulnerability and collects data from vulnerable servers. A piece of code that describes all the available plug-ins is shown in <a href="#figure.22">Figure 22</a>.</p><div class="figure"><a id="figure.22"></a><div class="mediaobject"><img alt="This piece of code shows that there are a number of plug-ins we haven&rsquo;t seen in the wild." src="/uploads/images/figures/2014/07/Mayhem-fig22.jpg" /></div><p class="title"><b>Figure&nbsp;22.&nbsp;This piece of code shows that there are a number of plug-ins we haven&rsquo;t seen in the wild.</b></p></div><p>The C&amp;C uses MySQL and memcached (if it is available) as data storage, but plug-ins are stored on disk.</p><p>We also found that the code of the C&amp;C scripts contains a number of security flaws, but a description of these vulnerabilities is beyond the scope of this article.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title"><a class="chapter" id="id3868084"></a>Comparison with other malware families</h2></div></div></div><p>During our analysis, we found some common features shared between Mayhem and some other *nix malware. The malware is similar to &lsquo;Trololo_mod&rsquo; and &lsquo;Effusion&rsquo; [<span class="citation"><a href="#citation.11">11</a></span>] &ndash; two injectors for <span class="emphasis"><em>Apache</em></span> and <span class="emphasis"><em>Nginx</em></span> servers respectively. All three malware families have the following similarities:</p><div class="itemizedlist"><ul type="disc"><li><p>configuration has the same format</p></li><li><p>XTEA algorithm in ECB mode is used for encryption</p></li><li><p>0xDEADBEEF markers are widely used in configuration files and other parts of code</p></li><li><p>ELF headers of shared objects are corrupted in the same way.</p></li></ul></div><p>Despite a lack of evidence, we suspect that all these malware families were developed by the same gang.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title"><a class="chapter" id="id4114481"></a>Conclusions</h2></div></div></div><p>Having completed this research, we can confidently say that botnets made up of *nix web servers are becoming more and more popular, as a modern trend in malware. Why is this the case? We think the following are some of the reasons:</p><div class="itemizedlist"><ul type="disc"><li><p>Web server botnets offer a unique model of monetization through traffic redirection, drive-by download attacks, black hat SEO, etc.</p></li><li><p>Web servers have good uptime, network channels and are more powerful than ordinary personal computers.</p></li><li><p>In the *nix world, autoupdate technologies aren&rsquo;t widely used, especially in comparison with desktops and smartphones. The vast majority of webmasters and system administrators have to update their software manually and test that their infrastructure works correctly. For ordinary websites, serious maintenance is quite expensive and often webmasters don&rsquo;t have an opportunity to do it. This means it is easy for hackers to find vulnerable web servers and to use such servers in their botnets.</p></li><li><p>In the *nix world, the use of anti-virus technologies isn&rsquo;t widespread. A lot of vendors don&rsquo;t offer any proactive defence or process memory checking modules. In addition, an ordinary webmaster usually doesn&rsquo;t want to spend time reading the manuals of such software and solving possible performance issues that might occur.</p></li></ul></div><p>Mayhem is a very interesting and sophisticated piece of malware that has a flexible and complicated architecture. We hope that our research will help the security community in the struggle against such threats.</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title"><a class="chapter" id="id4464234"></a>Acknowledgements</h2></div></div></div><p>We would like to thank Fraser Howard and Charles McCathie Nevile, whose comments and suggestions helped us to improve this article.</p><div class="bibliography"><div class="titlepage"><div><div><h3 class="title"><a class="chapter" id="id3903419"></a>Bibliography</h3></div></div></div><div class="bibliomixed"><a id="citation.1"></a><p class="bibliomixed">[1] <span class="bibliosource"><a href="http://blog.malwaremustdie.org/2014/05/elf-shared-so-dynamic-library-malware.html" target="_blank">http://blog.malwaremustdie.org/2014/05/elf-shared-so-dynamic-library-malware.html</a></span>.</p></div><div class="bibliomixed"><a id="citation.2"></a><p class="bibliomixed">[2] <span class="bibliosource"><a href="http://sysadminblog.net/2013/11/fake-wordpress-plug-ins/" target="_blank">http://sysadminblog.net/2013/11/fake-wordpress-plug-ins/</a></span>.</p></div><div class="bibliomixed"><a id="citation.3"></a><p class="bibliomixed">[3] Fort Disco Bruteforce Campaign. <span class="bibliosource"><a href="http://www.arbornetworks.com/asert/2013/08/fort-disco-bruteforce-campaign/" target="_blank">http://www.arbornetworks.com/asert/2013/08/fort-disco-bruteforce-campaign/</a></span>.</p></div><div class="bibliomixed"><a id="citation.4"></a><p class="bibliomixed">[4] Wheeler, D.; Needham, R. Correction to XTEA. <span class="bibliosource"><a href="http://www.movable-type.co.uk/scripts/xxtea.pdf" target="_blank">http://www.movable-type.co.uk/scripts/xxtea.pdf</a></span>.</p></div><div class="bibliomixed"><a id="citation.5"></a><p class="bibliomixed">[5] <span class="bibliosource"><a href="https://en.wikipedia.org/w/index. PHP?title=XTEA&amp;oldid=558387953" target="_blank">http://en.wikipedia.org/w/index. PHP?title=XTEA&amp;oldid=558387953</a></span>.</p></div><div class="bibliomixed"><a id="citation.6"></a><p class="bibliomixed">[6] Wikipedia. Block cipher mode of operation. <span class="bibliosource"><a href="https://en.wikipedia.org/w/index.PHP?title=Block_cipher_mode_of_operation&amp;oldid=582012907" target="_blank">http://en.wikipedia.org/w/index.PHP?title=Block_cipher_mode_of_operation&amp;oldid=582012907</a></span>.</p></div><div class="bibliomixed"><a id="citation.7"></a><p class="bibliomixed">[7] Schneier, B. Applied Cryptography. John Wiley &amp; Sons, 1996.</p></div><div class="bibliomixed"><a id="citation.8"></a><p class="bibliomixed">[8] <span class="bibliosource"><a href="http://ultra-embedded.com/fat_filelib" target="_blank">http://ultra-embedded.com/fat_filelib</a></span>.</p></div><div class="bibliomixed"><a id="citation.9"></a><p class="bibliomixed">[9] <span class="bibliosource"><a href="https://github.com/freeoks/SD0_reader" target="_blank">https://github.com/freeoks/SD0_reader</a></span>.</p></div><div class="bibliomixed"><a id="citation.10"></a><p class="bibliomixed">[10] <span class="bibliosource"><a href="http://slre.sourceforge.net/" target="_blank">http://slre.sourceforge.net/</a></span>.</p></div><div class="bibliomixed"><a id="citation.11"></a><p class="bibliomixed">[11] Effusion &ndash; a new sophisticated injector for Nginx web servers. <span class="bibliosource"><a href="/virusbulletin/2014/01/effusion-new-sophisticated-injector-nginx-web-servers
" target="_top">https://www.virusbtn.com/virusbulletin/archive/2014/01/vb201401-Effusion</a></span>.</p></div><div class="bibliomixed"><a id="citation.12"></a><p class="bibliomixed">[12] <span class="bibliosource"><a href="https://www.linuxjournal.com/article/7795" target="_blank">http://www.linuxjournal.com/article/7795</a></span>.</p></div></div></div> </div>
<div class="col-md-3 col-sm-3 col-lg-3">
<p><a href="/uploads/pdf/magazine/2014/vb201407-Mayhem.pdf" target="_blank"><img class="ccm-image-block responsive" alt="" src="/uploads/images/buttons/pdf-download-button.jpg" onmouseover="this.src = '/uploads/images/buttons/pdf-download-button-hover.jpg'" onmouseout="this.src = '/uploads/images/buttons/pdf-download-button.jpg'" border="0" height="45" width="262"></a></p>
<div id="NDPHPBlock13359" class="NDPHPBlock">
<div style="width: 100%;"><div style='float: left; width: 20%; margin-left: auto; margin-right: auto; text-align: center;'><center><a target='_blank' title='Tweet this!' href="https://twitter.com/share?text=Mayhem – a hidden threat for *nix web servers&url=https://www.virusbulletin.com/virusbulletin/2014/07/mayhem-hidden-threat-nix-web-servers"><img src='/uploads/images/buttons/twitter.png' alt='twitter.png' width='45' height='45' class='responsive' /></a></center></div><div style='float: left; width: 20%; margin-left: auto; margin-right: auto; text-align: center;'><center><a target='_blank' title='Share on Facebook' href='https://www.facebook.com/sharer.php?u=https://www.virusbulletin.com/virusbulletin/2014/07/mayhem-hidden-threat-nix-web-servers'><img src='/uploads/images/buttons/fb.png' alt='fb.png' width='45' height='45' class='responsive' /></a></center></div><div style='float: left; width: 20%; margin-left: auto; margin-right: auto; text-align: center;'><center><a target='_blank' title='Share on LinkedIn' href="https://www.linkedin.com/shareArticle?mini=true&url=https://www.virusbulletin.com/virusbulletin/2014/07/mayhem-hidden-threat-nix-web-servers&title=Mayhem – a hidden threat for *nix web servers"><img src='/uploads/images/buttons/linkedin.png' alt='linkedin.png' width='45' height='45' class='responsive' /></a></center></div><div style='float: left; width: 20%; margin-left: auto; margin-right: auto; text-align: center;'><center><a target='_blank' title='Share on Hacker News' href="https://news.ycombinator.com/submitlink?u=https://www.virusbulletin.com/virusbulletin/2014/07/mayhem-hidden-threat-nix-web-servers&t=Mayhem – a hidden threat for *nix web servers"><img src='/uploads/images/buttons/hackernews.png' alt='hackernews.png' width='45' height='45' class='responsive' /></a></center></div><div style='float: left; width: 20%; margin-left: auto; margin-right: auto; text-align: center;'><center><a target='_blank' title='reddit this!' href="https://www.reddit.com/submit?url=https://www.virusbulletin.com/virusbulletin/2014/07/mayhem-hidden-threat-nix-web-servers"><img src='/uploads/images/buttons/reddit.png' alt='reddit.png' width='45' height='45' class='responsive' /></a></center></div></div></div><p> </p>
<h2>Latest articles:</h2>
<div class="ccm-page-list">
<h3 class="ccm-page-list-title">
<a href="/virusbulletin/2021/12/collector-stealer-russian-origin-credential-and-information-extractor/" target="_self">Collector-stealer: a Russian origin credential and information extractor</a>
</h3>
<div class="ccm-page-list-description">
Collector-stealer, a piece of malware of Russian origin, is heavily used on the Internet to exfiltrate sensitive data from end-user systems and store it in its C&amp;C panels. In this article, researchers Aditya K Sood and Rohit Chaturvedi present a 360&hellip; </div>
<h3 class="ccm-page-list-title">
<a href="/virusbulletin/2021/06/fighting-fire-fire/" target="_self">Fighting Fire with Fire</a>
</h3>
<div class="ccm-page-list-description">
In 1989, Joe Wells encountered his first virus: Jerusalem. He disassembled the virus, and from that moment onward, was intrigued by the properties of these small pieces of self-replicating code. Joe Wells was an expert on computer viruses, was partly&hellip; </div>
<h3 class="ccm-page-list-title">
<a href="/virusbulletin/2021/04/run-your-malicious-vba-macros-anywhere/" target="_self">Run your malicious VBA macros anywhere!</a>
</h3>
<div class="ccm-page-list-description">
Kurt Natvig wanted to understand whether it&rsquo;s possible to recompile VBA macros to another language, which could then easily be &lsquo;run&rsquo; on any gateway, thus revealing a sample&rsquo;s true nature in a safe manner. In this article he explains how he recompiled&hellip; </div>
<h3 class="ccm-page-list-title">
<a href="/virusbulletin/2021/04/dissecting-design-and-vulnerabilities-azorultccpanels/" target="_self">Dissecting the design and vulnerabilities in AZORult&nbsp;C&amp;C&nbsp;panels</a>
</h3>
<div class="ccm-page-list-description">
Aditya K Sood looks at the command-and-control (C&amp;C) design of the AZORult malware, discussing his team's findings related to the C&amp;C design and some security issues they identified during the research. </div>
<h3 class="ccm-page-list-title">
<a href="/virusbulletin/2021/02/excel-formulamacro-xlsb/" target="_self">Excel Formula/Macro in .xlsb?</a>
</h3>
<div class="ccm-page-list-description">
Excel Formula, or XLM &ndash; does it ever stop giving pain to researchers? Kurt Natvig takes us through his analysis of a new sample using the xlsb file format. </div>
</div>
<p><br /><a class="btn btn-block btn-warning" href="/virusbulletin/archive">Bulletin Archive</a></p> </div>
</div>
</div>

<footer class="bs-footer" role="contentinfo">
<div class="container">
<div class="bs-social">
<div class="row ">
<div class="col-md-3">
<p><a title="About Us" href="/about-vb/about-us/">About us</a></p>
<p><a title="Contact Us" href="/about-vb/contact-us/">Contact us</a></p>
<p><a title="Advisory Board" href="/about-vb/advisory-board/">Advisory board</a></p>
<p><a title="Press" href="/about-vb/press/">Press information</a></p>
<p><a title="Security Events Calendar" href="/resources/calendar/">Security events calendar</a></p>
<p><a title="Newsletter" href="/newsletter/">Virus Bulletin newsletter</a></p> </div>
<div class="col-md-3">
<p><a title="VB Testing" href="/testing/">Testing</a></p>
<p><a title="VB100" href="/testing/vb1001/">VB100</a></p>
<p><a title="VBSpam" href="/testing/vbspam/">VBSpam</a></p>
<p><a title="VBWeb" href="/testing/vbweb/">VBWeb</a></p>
<p><a title="Consultancy Services" href="/testing/consultancy-services/">Consultancy services</a></p>
<p><a title="The Spammers' Compendium" href="/resources/spammerscompendium/">Spammers' Compendium</a></p> </div>
<div class="col-md-3">
<p><a title="VB2021 localhost" href="/conference/vb2021/">VB2021 localhost</a></p>
<p><a title="VB2020 localhost" href="/conference/vb2020/">VB2020 localhost</a></p>
<p><a title="VB2019" href="/conference/vb2019/">VB2019 (London)</a></p>
<p><a title="VB2018" href="/conference/vb2018">VB2018 (Montreal)</a></p>
<p><a title="VB2017" href="/conference/vb2017">VB2017 (Madrid)</a></p>
<p><a title="Conference Archive" href="/conference/vb-conference-archive/">Older conferences</a></p> </div>
<div class="col-md-3">
<div class="row">
<table style="float: right;" border="0">
<tbody>
<tr>
<td align="center"><a href="/rss" target="_blank"><img title="Get our blog updates" src="/uploads/images/buttons/rss-square-gray.png" alt="rss.png" width="35" height="35" /></a></td>
<td> </td>
<td align="center"><a href="https://twitter.com/virusbtn" target="_blank"><img class="bhtmbxoyxwpzahwcvxnw" title="Visit us on Twitter" src="/uploads/images/buttons/twitter-square-gray.png" alt="twitter.png" width="35" height="35" /></a></td>
<td> </td>
<td align="center"><a href="https://www.linkedin.com/company/virus-bulletin" target="_blank"><img class="bhtmbxoyxwpzahwcvxnw" title="Visit us on LinkedIn" src="/uploads/images/buttons/linkedin-square-gray.png" alt="linkedin.png" width="35" height="35" /></a></td>
<td> </td>
<td align="center"><a href="https://www.facebook.com/virusbulletin" target="_blank"><img title="Visit us on Facebook" src="/uploads/images/buttons/fb-square-gray.png" alt="twitter.png" width="35" height="35" /></a></td>
<td> </td>
<td align="center"><a href="https://www.youtube.com/user/virusbtn" target="_blank"><img title="Visit us on Youtube" src="/uploads/images/buttons/youtube-square-gray.png" alt="youtube.png" width="35" height="35" /></a></td>
</tr>
</tbody>
</table>
</div> </div>
</div>
<div class="row ">
<div class="col-md-12">
</div>
</div>
</div>
</div>
</footer>

<footer class="bs-footer2" role="contentinfo">
<div class="container">
<div class="bs-social2">
<div class="row ">
<div class="col-md-3">
</div>
<div class="col-md-3">
</div>
<div class="col-md-3">
</div>
<div class="col-md-3">
</div>
</div>
<div class="row ">
<div class="col-md-12">
<p style="text-align: left;">©1989-2021 Virus Bulletin.        <a title="Privacy Policy" href="/about-vb/privacy-policy/">Privacy policy</a>        <a title="Cookies" href="/about-vb/privacy-policy/cookies/">Cookies</a>        <a title="Terms and Conditions" href="/about-vb/terms-and-conditions/">Terms and Conditions</a></p> </div>
</div>
</div>
</div>
</footer>

<script async src="https://www.googletagmanager.com/gtag/js?id=UA-21876594-2"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());

  gtag('config', 'UA-21876594-2', { 'anonymize_ip': true });
</script><script type="text/javascript" src="/libraries/js/fancybox.load.js"></script>
<script type="text/javascript" src="/packages/bootstrap/js/common/app.js"></script>
<div id="ccm-cookiesDisclosure" class="disclosure-bottom">
<div class="disclosure-container">
<div class="disclosure-content">
<p> We have placed cookies on your device in order to improve the functionality of this site, as outlined in our <a href="/about-vb/privacy-policy/cookies" target="_blank">cookies policy</a>. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our <a href="/about-vb/privacy-policy/" target="_blank">privacy policy</a>.</p>
</div>
<div class="disclosure-form">
<form action="/index.php/cookies_disclosure/" method="POST">
<input type="hidden" name="allowCookies" value="1" />
<div class="button">
<input class="btn btn-info btn-sm" type="submit" name="submit" value="I understand. Don't show this message again!" />
</div>
</form>
</div>
<div class="ccm-spacer">&nbsp;</div>
</div>
</div>
</body>
</html>